- Pike Finance has suffered a second attack in three days.
- The first attack happened on April 26.
- Both attacks are related to the same vulnerability.
Pike Finance has suffered a second exploit in under a week, losing over a million in assorted cryptos across the Ethereum, Arbitrum, and Optimism chains.
The Circle-backed decentralized finance (DeFi) protocol suffered the first attack on April 26, two days after it enabled USDC withdrawals via the CCTP protocol. Acknowledging that it lost 299,127 USDC in the aftermath, Pike Finance said the attack was due to a “USDC withdrawal vulnerability.”
Hackers Exploit ‘USDC Vulnerability’ for the Second Time
On May 1, Pike Finance alerted the X (Twitter) crypto community to the second attack, noting that “this exploit is related to the initial USDC vulnerability reported last week on the 26th of April.”
Per the alert, after the first exploit Pike Finance upgraded the spoke contracts and added a dependency to the smart contract code so that the protocol could be paused. The dependency introduced new variables, which took over the storage position previously occupied by the *initialized* variable.
The protocol said this led to a “misalignment in storage mapping.”
“This misalignment caused the contract to behave as if it was uninitialized, since the *initialized* variable could no longer be accessed. As a result, attackers were then able to upgrade the spoke contracts, bypassing admin access, and as a result, withdraw funds,” the protocol wrote.
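The misalignment described above, as an added example (not Pike Finance's code, whose actual layout is not shown on this page): a simplified Python model of Solidity's in-order slot packing for value types, with a pre-upgrade layout check. The variable names `admin` and `pausedUntil` and both layouts are constructed for illustration.

```python
# Added illustration (not Pike Finance's code): a simplified model of how
# Solidity packs state variables into 32-byte slots, in declaration order.
SIZES = {"bool": 1, "address": 20, "uint256": 32}  # bytes per value type

def layout(variables):
    """Map each variable name to (slot, byte offset, size)."""
    slot, offset, out = 0, 0, {}
    for name, typ in variables:
        size = SIZES[typ]
        if offset + size > 32:          # does not fit: start the next slot
            slot, offset = slot + 1, 0
        out[name] = (slot, offset, size)
        offset += size
    return out

def write(storage, lay, name, value):
    slot, offset, size = lay[name]
    mask = ((1 << (8 * size)) - 1) << (8 * offset)
    storage[slot] = (storage.get(slot, 0) & ~mask) | (value << (8 * offset))

def read(storage, lay, name):
    slot, offset, size = lay[name]
    return (storage.get(slot, 0) >> (8 * offset)) & ((1 << (8 * size)) - 1)

def moved_variables(old_vars, new_vars):
    """Pre-upgrade check: existing variables whose position changed or vanished."""
    old, new = layout(old_vars), layout(new_vars)
    return {n: (old[n][:2], new[n][:2] if n in new else None)
            for n in old if new.get(n) != old[n]}

# Constructed layouts; all names are hypothetical.
V1 = [("initialized", "bool"), ("admin", "address")]
# V2 inherits a new dependency whose variable is declared first.
V2 = [("pausedUntil", "uint256"), ("initialized", "bool"), ("admin", "address")]

def simulate_upgrade():
    """Proxy storage written under V1, then read back through V2's layout."""
    storage = {}
    write(storage, layout(V1), "initialized", 1)
    write(storage, layout(V1), "admin", 0xA11CE)
    return read(storage, layout(V2), "initialized")

if __name__ == "__main__":
    print(moved_variables(V1, V2))
    print("initialized as seen by V2:", simulate_upgrade())
```

In this model, appending the new variable after the existing ones leaves every old position unchanged, so `moved_variables` returns an empty result and the upgrade check passes.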
The exploit resulted in the theft of over $1.6 million in cryptos, including 99,970.48 ARB, 64,126 OP, and 479.39 ETH. Pike Finance offered a 20% reward for the return of the funds as it pursues an investigation.